U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT BLUECROSS BLUESHIELD OF FLORIDA

Report No. 1A-10-41-09-063
Date: May 21, 2010

--CAUTION--
This audit report has been distributed to Federal and Non-Federal officials who are responsible for the administration of the audited contract. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

Audit Report

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT CS 1039
BLUECROSS BLUESHIELD OF FLORIDA
PLAN CODES 090/590
JACKSONVILLE, FLORIDA

Michael R. Esser
Assistant Inspector General for Audits

Executive Summary

This final report discusses the results of our audit of general and application controls over the information systems at BlueCross BlueShield of Florida (BCBSFL).

Our audit focused on the claims processing applications used to adjudicate Federal Employees Health Benefits Program (FEHBP) claims for BCBSFL, as well as the various processes and information technology (IT) systems used to support these applications. We documented controls in place and opportunities for improvement in each of the areas below.

Security Management
BCBSFL has established a comprehensive series of IT policies and procedures to create an awareness of IT security at the Plan. We verified that BCBSFL's policies and procedures are maintained on the Plan's intranet site in a manner that is easily accessible by employees.

Access Controls
We found that BCBSFL has implemented numerous physical controls to prevent unauthorized access to its facilities, as well as logical controls to prevent unauthorized access to its information systems. However, the logical access controls for one application critical to the claims adjudication process could be improved.
In addition, BCBSFL is analyzing the effectiveness of its current controls related to the secure transmission of electronic data.

Configuration Management
BCBSFL has developed formal policies and procedures providing guidance to ensure that system software is appropriately configured and updated, as well as for controlling system software configuration changes.

Contingency Planning
We reviewed BCBSFL's business continuity plans and concluded that they contained most of the key elements suggested by relevant guidance and publications. We also determined that these documents are reviewed, updated, and tested on a periodic basis.

Application Controls
BCBSFL has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately. However, we recommended that BCBSFL implement several system modifications to ensure that its claims processing systems adjudicate FEHBP claims in a manner consistent with the OPM contract and other regulations.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that BCBSFL is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Contents

   Executive Summary
I. Introduction
   Background
   Objectives
   Scope
   Methodology
   Compliance with Laws and Regulations
II. Audit Findings and Recommendations
   A. Security Management
   B. Access Controls
   C. Configuration Management
   D. Contingency Planning
   E. Application Controls
   F. Health Insurance Portability and Accountability Act
III. Major Contributors to This Report

Appendix: BlueCross BlueShield Association's February 3, 2010 response to the draft audit report issued December 3, 2009.

I. Introduction

This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims at BlueCross BlueShield of Florida (BCBSFL or Plan).

The audit was conducted pursuant to Contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

BCBSFL headquarters is located in Jacksonville, Florida. Employees responsible for processing FEHBP (also, Federal Employee Program or FEP) claims are also located in Jacksonville, Florida.

This was the OIG's second audit of general and application controls at BCBSFL.
During this audit we verified that the audit findings from the first audit, conducted in 2003, have been closed.

All BCBSFL personnel that worked with the auditors were particularly helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit was greatly appreciated.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in BCBSFL's IT environment. These objectives were accomplished by reviewing the following areas:
• Security management;
• Access controls;
• Configuration management;
• Segregation of duties;
• Contingency planning;
• Application controls specific to BCBSFL's claims processing systems; and
• Health Insurance Portability and Accountability Act (HIPAA) compliance.

Scope
This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, the OIG obtained an understanding of BCBSFL's internal controls through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of BCBSFL's internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

The OIG evaluated the confidentiality, integrity, and availability of BCBSFL's computer-based information systems used to process FEHBP claims, and found that there are opportunities for improvement in the information systems' internal controls. These areas are detailed in the "Audit Findings and Recommendations" section of this report.

The scope of this audit centered on the claims processing systems that process FEHBP claims for BCBSFL, as well as the business structure and control environment in which they operate. These systems include the "Diamond" local claims processing system owned and operated by BCBSFL, and the FEP Express system owned and operated by the BlueCross BlueShield Association (BCBSA). BCBSFL is an independent licensee of the BCBSA.

In conducting our audit, we relied to varying degrees on computer-generated data provided by BCBSFL. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable.

The audit was performed at BCBSFL offices in Jacksonville, Florida. These on-site activities were performed in September and October 2009. The OIG completed additional audit work before and after the on-site visits at OPM's office in Washington, D.C.
The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at BCBSFL as of November 6, 2009.

Methodology
In conducting this review the OIG:
• Gathered documentation and conducted interviews;
• Reviewed BCBSFL's business structure and environment;
• Performed a risk assessment of BCBSFL's information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office's (GAO) Federal Information System Controls Audit Manual (FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and procedures were functioning as intended. As appropriate, the auditors used judgmental sampling in completing their compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating BCBSFL's control structure. These criteria include, but are not limited to, the following publications:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• Information Technology Governance Institute's CobiT: Control Objectives for Information and Related Technology;
• GAO's Federal Information System Controls Audit Manual;
• National Institute of Standards and Technology's Special Publication (NIST SP) 800-12, Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and
• The Health Insurance Portability and Accountability Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, the OIG performed tests to determine whether BCBSFL's practices were consistent with applicable standards. While generally compliant with respect to the items tested, BCBSFL was not in complete compliance with all standards, as described in the "Audit Findings and Recommendations" section of this report.

II. Audit Findings and Recommendations

A. Security Management
The security management component of this audit involved the examination of the policies and procedures that are the foundation of BCBSFL's overall IT security controls.
The OIG evaluated the adequacy of BCBSFL's ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls.

BCBSFL has implemented a series of formal policies and procedures that comprise a comprehensive entity-wide security program. The Plan has organized a Policy Committee that has the responsibility for creating, maintaining, and routinely reviewing security-related policies and procedures.

The OIG also reviewed BCBSFL's human resources policies and procedures related to the security aspects of hiring, training, transferring, and terminating employees. We verified that BCBSFL's policies and procedures are maintained on the Plan's intranet site in a manner that is easily accessible by employees.

B. Access Controls
Access controls are the policies, procedures, and techniques used to prevent or detect unauthorized physical or logical access to sensitive resources.

The OIG examined the physical access controls of BCBSFL's primary facilities in Jacksonville, Florida, as well as the additional physical and environmental controls protecting the Plan's data center, mail room, and check printing facilities.

Access to all BCBSFL facilities and secure areas within those facilities is controlled by an electronic access card system. Card readers are located on interior and exterior doors throughout the buildings, and the system is capable of limiting an individual's access to the physical areas required by their job function.

The OIG also examined the logical controls protecting sensitive data on BCBSFL's network environment and claims processing related applications.
The controls documented during this review include, but were not limited to:
• Appropriate management of firewalls, remote access, and wireless access;
• Monitoring potential security configuration weaknesses through vulnerability testing;
• Procedures for controlling sensitive data transferred to portable media;
• Procedures for appropriately granting and disabling access to information systems;
• Procedures for reviewing existing system access for appropriateness;
• Procedures for controlling and monitoring access of privileged system users; and
• Procedures for appropriately removing system and physical access for terminated employees.

Although BCBSFL has implemented a variety of techniques to protect its IT environment, we did document two opportunities for improvement related to access controls.

1. Authentication Controls for Scanning and Data Verification Application

A software application critical to BCBSFL's claims adjudication process does not have adequate authentication controls.

BCBSFL has contracted with [redacted] to perform its front-end claims processing operations. [redacted] uses an application called [redacted] to scan paper claims and perform optical character recognition and data verification before the claims are loaded into the claims adjudication system.

The authentication controls governing access to [redacted] require [redacted]. However, there are no additional password com[redacted]. This configuration does not meet the requirements of BCBSFL's Authentication Security Standard which requires all passwords to maintain a history of six passwords, and [redacted].

[redacted] acknowledged the risk associated with non-compliance with password policy at the application level and stated that the risk is mitigated by the inability of users to launch the [redacted] from an outside network and the fact that access is controlled by the [redacted]. However, many of BCBSFL's applications cannot be launched from outside the Plan's network and also require [redacted], yet these applications are still subject to the requirements of the Plan's Authentication Security Standard.

[redacted] informed the OIG of its efforts to roll out additional [redacted] to several applications over the next year.

Recommendation 1
We recommend that ACS and BCBSFL continue their efforts to ensure that the authentication controls for all applications that process FEP data meet the requirements of BCBSFL's Authentication Security Standard.

BCBSFL Response:
"BCBSFL agrees with this recommendation. The ACS CISO Policy and Governance team recognizes the risks associated with non-compliance with password policy at the application level and is monitoring remediation efforts across the enterprise.
One such effort involves the WebDE application in use within the BCBSFL operations. ...

The ACS Security Engineering team is deploying a federated solution from the Novell Identity Management product line to provide front-end authentication to several internal ACS applications. This product is to be piloted in an ACS business unit using the WebDE application and should be rolled out to all WebDE instances over the course of next year. The pilot process began in September 2009 and is expected to be completed by the end of the calendar year. On December 16, 2009, this policy was amended for clarification regarding the ACS pilot group. ACS WebDE team had pre-determined groups they would utilize during the pilot phase. This pilot group does not include any of the BCBSFL SBU's. ACS anticipates the successful completion of the pilot phase by the end of the first quarter of 2010. Barring unforeseen technical issues, BCBSFL hopes to implement this solution within the SBU's by the end of Second Quarter of 2010."

OIG Reply:
As part of the audit resolution process, we recommend that BCBSFL provide OPM's RBO with supporting documentation detailing progress made in addressing this recommendation.

2. Secure Transmission of Electronic Data

BCBSFL has implemented content filters designed to encrypt sensitive data sent via email or transmitted to a portable media device. However, the email filter was unable to detect social security numbers (SSN) that were not formatted in the traditional manner (###-##-####).

BCBSFL has policies and procedures in place to manage the protection of physical and electronic data. The Plan has implemented controls to detect sensitive data such as SSNs that are transmitted to portable media or sent through email.
When a transmission of sensitive data to a portable media device is detected, the filtering software will warn the user of their responsibility to protect sensitive data, and will send an alert of the transmission to BCBSFL's information security team. When sensitive data is sent over email, the filter is designed to automatically encrypt the message and send it to the recipient through a secure web link.

Auditors tested these controls by attempting to move files containing valid SSNs to a portable media device and by sending them through emails. The filter for portable media devices appeared to be functioning as intended. In addition, SSNs sent via email in the traditional format (###-##-####) were appropriately detected and secured by the filtering controls. However, valid SSNs formatted without dashes (#########) were not detected and were transmitted in an unencrypted, insecure manner.

HIPAA Security Standard § 164.312(e)(1) requires that Plans "implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."

Recommendation 2
We recommend that BCBSFL make the appropriate changes to its email filter settings to ensure that all social security numbers and other sensitive data are blocked from being transmitted in an insecure manner.

BCBSFL Response:
"BCBSFL is in the process of performing an analysis of current traffic patterns and preliminary results indicate that the recommended change in the email filter would result in primarily capturing and encrypting non-privacy related emails that include zip codes, addresses and phone numbers. However, the Plan will finalize its analysis of the results by April 30, 2010 and make appropriate enhancements as required to mitigate risks."

OIG Reply:
As part of the audit resolution process, we recommend that BCBSFL provide OPM's RBO with documentation detailing the final results of its analysis and any enhancements made to its controls related to protecting the electronic transmission of sensitive data.

C. Configuration Management
BCBSFL's local claims processing system is housed in a server environment with the AIX operating platform.

BCBSFL has developed formal policies and procedures providing guidance to ensure that system software is appropriately configured and updated, as well as for controlling system software configuration changes.

The following policies and procedures were examined:
• Change Management Policy
• Vulnerability Testing Procedures
• Vulnerability Patch Management Standard
• AIX Configuration Security Baseline
• Web Server Security Standard
• Application Server Security Standard

Auditors verified that these policies are being appropriately followed and did not detect any weaknesses in BCBSFL's configuration management methodology. We also conducted a limited review of the security settings of BCBSFL's AIX configuration and did not identify any weaknesses in the settings.

D. Contingency Planning
The OIG reviewed BCBSFL's service continuity program to determine if (1) procedures were in place to protect information resources and minimize the risk of unplanned interruptions, and (2) a plan existed to recover critical operations should interruptions occur.

In an effort to assess BCBSFL's contingency planning capabilities, we evaluated documentation related to the Plan's procedures that ensure continuity of its FEP business unit, including:
• BCBSFL's Mission Critical Employees Standard Operating Procedure;
• IT Disaster Recovery/Systems Continuity Standard; and
• Several business units' continuity plans including the claims department and check printing plans.

The OIG found that each of these documents contains a majority of the key elements of a comprehensive service continuity program suggested by NIST SP 800-34, "Contingency Planning Guide for IT Systems." BCBSFL's service continuity documentation explicitly identifies the systems that are critical to continuing business operations, prioritizes these systems, and outlines the specific resources needed to support each system. Each of these documents is reviewed, updated, and tested regularly.

E. Application Controls

Application Configuration Management
The OIG evaluated the policies and procedures governing software development and change control of the Plan's claims processing application.

BCBSFL has adopted a traditional system development life cycle methodology that IT personnel follow during routine software modifications. The Plan has also implemented a formal approval process for change requests.
The following controls related to testing and approvals of software modifications were observed:
• BCBSFL has adopted practices that allow modifications to be tracked;
• Parallel testing and unit testing are conducted in accordance with industry standards; and
• BCBSFL has a team dedicated to testing FEP modifications.

The OIG also observed the following controls related to the maintenance of software libraries:
• BCBSFL utilizes a "Build and Release Tool" to move the code between the segregated libraries.
• BCBSFL clearly segregates application development and change control activities along organizational lines.
• BCBSFL utilizes versioning of the source code to determine if appropriate changes are implemented as expected.

Claims Processing System
The OIG evaluated the input, processing, and output controls associated with BCBSFL's local claims processing system and the FEP Express system. In terms of input controls, the OIG documented the policies and procedures adopted by BCBSFL to help ensure that: 1) there are controls over the inception of claims data into the system; 2) the data received comes from the appropriate sources; and 3) the data is entered into the claims database correctly. BCBSFL's methods for reconciling processing totals against input totals and for evaluating the accuracy of its processes were also reviewed. Auditors also examined the security of physical input and output (paper claims, checks, explanations of benefits, etc.).

Application Controls Testing
To validate the claims processing controls, a testing exercise was conducted on the BCBSFL local system and the BCBSA's FEP Express system. This test was conducted at BCBSFL's Jacksonville, Florida facility with the assistance of BCBSFL personnel. The exercise involved developing a test plan that included realistic situations to present to BCBSFL personnel in the form of institutional and professional claims. All test scenarios were processed through the BCBSFL local claims processing system, and where appropriate, the FEP Express system. The test plan included expected results for each test case. Upon conclusion of the testing exercise, the expected results were compared with the actual results obtained during the exercise.

The sections below document the opportunities for improvement that were noted related to application controls.

1. Procedure to Diagnosis Inconsistency

Two test claims were processed where benefits were paid for a procedure associated with an inappropriate diagnosis.

The OIG entered a test claim into the BCBSFL local system with a procedure code for a [redacted] and a diagnosis of [redacted]. A second test claim was entered with a procedure code for an [redacted] and a diagnosis of [redacted]. Despite the procedure/diagnosis inconsistencies, the claims processed through the local system without encountering any edits and were sent to FEP Express. FEP Express also processed and paid these claims without suspending the claims or triggering any edits.

This system weakness increases the risk that benefits are being paid for procedures associated with a diagnosis that may not warrant such treatment. This issue has been documented in past OIG audits of BCBS plans.

Recommendation 3
We recommend that the BCBSA make the appropriate system modifications to FEP Express to ensure that claims with procedure/diagnosis inconsistencies are flagged for review.

BCBSFL Response:
"BCBSFL disagrees with this recommendation. BCBSFL has implemented and maintains detective system controls to ensure claims with diagnosis inconsistencies are reviewed prior to processing.
The Plan has a comprehensive medical policy program that applies necessary controls to ensure services are medically appropriate before approved to pay. However, these controls are not absolute but are intended to identify the common types of procedures that are not consistent with the diagnosis.

However, the FEP Director's Office is in the process of analyzing the feasibility of using existing commercial medical editing software to address this issue. The analysis will also consider implications across the system and how this process will impact Plans. The anticipated completion date for this project is late Second Quarter 2010."

OIG Reply:
We believe that comprehensive medical edit software is needed for FEP Express, as multiple OIG audits of BCBS Plans have detected many weaknesses in the system's medical edit capabilities (including three found during this audit). As part of the audit resolution process, we recommend that the BCBSA provide the REO documentation detailing its efforts in implementing commercial medical editing software.

2. Provider Invalid for Procedure

Two test claims were processed where a provider was paid for services outside the scope of their license.

The OIG entered a test claim for professional services into the BCBSFL local system with [redacted] performed by an [redacted]. This procedure would generally be performed by an [redacted]. Despite the provider/procedure inconsistency, the claim was processed by the BCBSFL local system and FEP Express without encountering any edits.

A second test claim for professional services entered into the BCBSFL local system indicated that a [redacted] was performed by an [redacted]. This procedure would generally be performed by a [redacted]. Despite the provider/procedure inconsistency, the claim was processed by the BCBSFL local system and FEP Express without encountering any edits.

This system weakness increases the risk that providers are being paid for services outside the scope of their license.

Recommendation 4
We recommend that the BCBSA make the appropriate system modifications to FEP Express to ensure that medical providers are not paid for services outside the scope of their license.

BCBSFL Response:
"BCBSFL disagrees with this recommendation, given that the Plan has implemented and maintains appropriate system controls to ensure that medical providers are not paid for services outside the scope of their license on a post payment basis. Most physicians declare a specialty and often receive board certification, but with additional training and or experience in other specialty areas, can through the life of the practice change their practice specialty to a subset or other areas of interest.
   Therefore, it is impossible to limit a physician when they study in all areas of medicine.

   The claim form may indicate one specialty however, some providers have multiple
   specialties. Edits exist to keep limited license practitioners such as podiatrists from
   performing medical services outside their scope of practice and controls are in place
   which helps ensure that medical providers are paid only for services within the scope of
   their license. In addition, the Plan does have pre-payment edits in place to identify
   providers rendering services outside of the scope licensure. Also, the Plan does have
   post-payment review processes conducted by its Special Investigation Unit and
   Utilization Review areas to identify abnormal billing practices.

   However, the FEP Director's Office is in the process of analyzing the feasibility of
   using existing commercial medical editing software to address this issue. The analysis
   will also consider implications across the system and how this process will impact
   Plans. The anticipated completion date for this project is late Second Quarter 2010."

   OIG Reply:
   We acknowledge the fact that certain providers may be capable of providing a broad
   range of medical services. However, the inconsistency in this test claim was so extreme
   that we would expect the system to detect it and suspend the claim for further review.
   Although the BCBSA searches for these inconsistencies on a post-payment basis, the
   implementation of preventive controls in the form of medical edit software is more
   effective and less costly. Post-payment reviews should complement rather than replace
   preventive controls.

   We believe that comprehensive medical edit software is needed for FEP Express, as
   multiple OIG audits of BCBS Plans have detected many weaknesses in the system's
   medical edit capabilities (including three found during this audit).
   As part of the audit resolution process, we recommend that BCBSFL provide OPM's RBO
   documentation detailing its efforts in implementing commercial medical editing software.

3. OBRA90 PRICER Updates

   BCBSFL OBRA90 claims are being processed with an outdated version of the 2009
   CMS PRICER program.

   The OIG entered seven test claims that are subject to OBRA90 pricing into the BCBSFL
   local system. The local system sent the claims to FEP Express where they were
   processed and priced. The auditors priced each claim with the CMS Inpatient PC
   PRICER program and compared the Medicare Diagnosis Related Group (DRG) amount
   produced by the PRICER to the amount produced in the test case.

   In three of the seven test claims, the Medicare DRG amount produced by the October 26,
   2009 version of the PRICER did not match the amount produced in the test case. The
   auditors priced these claims again using an older version of the 2009 CMS PRICER
   program, and in each case the Medicare DRG amount matched that from the test case.
   The OIG believes that this indicates that FEP Express is processing OBRA90 claims with
   an outdated version of the CMS PRICER.
   As a result, BCBSFL has incorrectly priced some of the OBRA90 claims processed after
   January 1, 2009.

   Recommendation 5 (Draft Audit Report Recommendation 6)
   We recommend that the BCBSA implement the appropriate system modifications to FEP
   Express to ensure that OBRA90 claims are priced with the correct version of the CMS
   PRICER and adjust all OBRA90 claims that were incorrectly priced.

   BCBSFL Response:
   "BCBSA agrees with this recommendation as the FEP Operations Center's OPM
   approved OBRA '90 Mainframe Pricer is the official mechanism used to price all FEP
   claims meeting the OBRA '90 requirements and not the responsibility of BCBSFL.

   In the past, OPM provided FEP with any updates to the OBRA '90 Pricer. Recently,
   FEP began obtaining the updates directly from CMS. When the first updates were
   received, it was discovered that the type of tape used by CMS was no longer supported
   by the FEP Data Center. In order to use the CMS tapes, the Operations Center had to
   find a vendor to convert them into an alternative tape format for usage in the FEP
   claims system Mainframe OBRA '90 Pricer. This process resulted in a delay in
   implementing the CMS updates. All updates received first and second quarters 2009
   were updated by July 17, 2009, and re-pricing of the impacted OBRA '90 claims will
   occur prior to year-end 2010. Attachment A is a schedule of when the updates were
   received from the various sources and the dates that the changes were implemented
   into the FEP Mainframe OBRA '90 Pricer Mainframe software. There was a delay in
   the April 4, 2009 update to the OBRA '90 Pricer.

   This delay could account for the different pricing generated during the claims testing
   process."

   OIG Reply:
   As part of the audit resolution process, we recommend that the BCBSA provide OPM's
   RBO with documentation demonstrating that the impacted claims have been
   appropriately re-priced.

F. Health Insurance Portability and Accountability Act

   The OIG reviewed BCBSFL's efforts to maintain compliance with the security, privacy, and
   national provider identifier standards of HIPAA. Nothing came to our attention that caused
   us to believe that BCBSFL is not in compliance with the various requirements of these
   HIPAA regulations.

   BCBSFL has implemented a series of IT security policies and procedures to adequately
   address the requirements of the HIPAA security rule. BCBSFL has also developed a series
   of privacy policies and procedures that directly addresses all requirements of the HIPAA
   privacy rule. The documents related to the HIPAA privacy and security rules are readily
   available to all BCBSFL employees via the company's intranet. BCBSFL employees receive
   privacy and security-related training during new hire orientation, as well as periodic
   subsequent training as needed.

   In addition, the OIG documented that BCBSFL has adopted the national provider identifier
   as the standard unique health identifier for health care providers, as required by HIPAA.

III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group.
The following individuals participated in the audit and the preparation of this report:

• [redacted], Group Chief
• [redacted], Auditor-In-Charge
• [redacted], IT Auditor
• [redacted], IT Auditor
• [redacted], IT Auditor

Appendix

BlueCross BlueShield Association
An Association of Independent Blue Cross and Blue Shield Plans

Federal Employee Program
1310 G Street, N.W.
Washington, D.C. 20005
202.942.1000
Fax 202.942.1125

February 3, 2010

[redacted], Chief
Information Systems Audits Group
Insurance Service Programs
Office of Personnel Management
1900 E Street, N.W., Room 6400
Washington, D.C. 20415

Reference: OPM DRAFT EDP AUDIT REPORT
           Florida Blue Cross Blue Shield
           Audit Report Number 1A-10-41-09-063

Dear Mr. [redacted]

This report is in response to the above-referenced U.S.
Office of Personnel Management (OPM) Draft Audit Report covering the Federal Employees'
Health Benefits Program (FEHBP) Audit of Information Systems General and Application
Controls for the Florida Blue Cross Blue Shield Plan's interface with the FEP claims
processing system, access and security controls. Our comments regarding the
findings in this report are as follows:

A.   ACCESS CONTROLS

     1. Authentication Controls for Scanning and Data Verification Application

        Recommendation 1

        OIG recommended that Affiliated Computer Services (ACS) and Blue Cross
        Blue Shield of Florida (BCBSFL) continue its efforts to ensure that the
        authentication controls for all applications that process FEP's data that meet
        the requirements of BCBSFL's Authentication Security Standard.

        BCBSFL Response to Recommendation 1

        BCBSFL agrees with this recommendation. The ACS CISO Policy and
        Governance team recognizes the risks associated with non-compliance with
        password policy at the application level and is monitoring remediation efforts
        across the enterprise. One such effort involves the WebDE application in use
        within the BCBSFL operations. WebDE based data entry application does
        not adhere to the ACS Information Security Standard's password policy
        requirements for password complexity.
        WebDE is one of several legacy
        applications in use at ACS which does not adhere to this policy and is part of
        a temporary exception granted by the ACS Security Governance Committee.
        The exception was granted on the basis of existing mitigating controls and a
        commitment by the application developers to research, pilot, and deploy a
        new authentication mechanism for these applications by using a federated
        solution to front end the applications.

        The mitigating controls protecting access to the WebDE application include
        the inability of users to launch the web application from an outside system or
        network. The application can only be initiated from an active directory
        authenticated session on the production or administration domain.
        Additionally, use of the application requires membership within an active
        directory security group of authorized WebDE users. Therefore, access to
        the application is controlled through a fully compliant windows domain
        authentication process and is role based through the security group
        designation. The WebDE application is entirely an internally hosted
        application. Access to the web site is restricted to only hosts on the
        production and administrative networks by perimeter firewalls and the use of
        restricted routing to the application server.

        The ACS Security Engineering team is deploying a federated solution from
        the Novell Identity Management product line to provide front-end
        authentication to several internal ACS applications. This product is to be
        piloted in an ACS business unit using the WebDE application and should be
        rolled out to all WebDE instances over the course of next year. The pilot
        process began in September 2009 and is expected to be completed by the
        end of the calendar year.
        On December 16, 2009, this policy was amended
        for clarification regarding the ACS pilot group. ACS WebDE team had
        predetermined groups they would utilize during the pilot phase. This pilot group
        does not include any of the BCBSFL SBU's. ACS anticipates the successful
        completion of the pilot phase by the end of the first quarter of 2010. Barring
        unforeseen technical issues, BCBSFL hopes to implement this solution within
        the SBU's by the end of Second Quarter of 2010.

     2. Secure Transmission of Electronic Data

        Recommendation 2

        OIG recommended that BCBSFL make the appropriate changes to its email
        filter settings to ensure that all social security numbers and other sensitive
        data are blocked from being transmitted in an insecure manner.

        BCBSFL Response to Recommendation 2

        BCBSFL is in the process of performing an analysis of current traffic patterns
        and preliminary results indicate that the recommended change in the email
        filter would result in primarily capturing and encrypting non-privacy related
        emails that include zip codes, addresses and phone numbers. However, the
        Plan will finalize its analysis of the results by April 30, 2010 and make
        appropriate enhancements as required to mitigate risks.

B.   APPLICATION CONTROLS

     1. Procedure to Diagnosis Inconsistency

        Recommendation 3

        OIG recommended that BCBSFL make the appropriate system modifications
        to ensure that claims with procedure/diagnosis inconsistencies are flagged for
        review.

        BCBSFL Response to Recommendation 3

        BCBSFL disagrees with this recommendation.
        BCBSFL has implemented
        and maintains detective system controls to ensure claims with diagnosis
        inconsistencies are reviewed prior to processing. The Plan has a
        comprehensive medical policy program that applies necessary controls to
        ensure services are medically appropriate before approved to pay. However,
        these controls are not absolute but are intended to identify the common types
        of procedures that are not consistent with the diagnosis.

        However, the FEP Director's Office is in the process of analyzing the
        feasibility of using existing commercial medical editing software to address
        this issue. The analysis will also consider implications across the system and
        how this process will impact Plans. The anticipated completion date for this
        project is late Second Quarter 2010.

     2. Provider Invalid for Procedure

        Recommendation 4

        OIG recommended that BCBSFL make the appropriate system modifications
        to ensure that medical providers are not paid for services outside the scope of
        their license.

        BCBSFL Response to Recommendation 4

        BCBSFL disagrees with this recommendation, given that the Plan has
        implemented and maintains appropriate system controls to ensure that
        medical providers are not paid for services outside the scope of their license
        on a post payment basis. Most physicians declare a specialty and often
        receive board certification, but with additional training and or experience in
        other specialty areas, can through the life of the practice change their practice
        specialty to a subset or other areas of interest. Therefore, it is impossible to
        limit a physician when they study in all areas of medicine.

        The claim form may indicate one specialty however, some providers have
        multiple specialties. Edits exist to keep limited license practitioners such as
        podiatrists from performing medical services outside their scope of practice
        and controls are in place which helps ensure that medical providers are paid
        only for services within the scope of their license. In addition, the Plan does
        have pre-payment edits in place to identify providers rendering services
        outside of the scope licensure. Also, the Plan does have post-payment
        review processes conducted by its Special Investigation Unit and Utilization
        Review areas to identify abnormal billing practices.

        However, the FEP Director's Office is in the process of analyzing the
        feasibility of using existing commercial medical editing software to address
        this issue. The analysis will also consider implications across the system and
        how this process will impact Plans. The anticipated completion date for this
        project is late Second Quarter 2010.

     3.

        ***Text redacted: not relevant to final audit report***

     4. OBRA '90 Pricer Updates

        Recommendation 6

        OIG recommended that BCBSFL implement the appropriate system
        modifications to ensure that OBRA '90 claims are priced with the correct
        version of the CMS PRICER, and adjust all OBRA '90 claims that were
        incorrectly priced.

        BCBSFL Response to Recommendation 6

        BCBSA agrees with this recommendation as the FEP Operations Center's
        OPM approved OBRA '90 Mainframe Pricer is the official mechanism used to
        price all FEP claims meeting the OBRA '90 requirements and not the
        responsibility of BCBSFL.

        In the past, OPM provided FEP with any updates to the OBRA '90 Pricer.
        Recently, FEP began obtaining the updates directly from CMS. When the
        first updates were received, it was discovered that the type of tape used by
        CMS was no longer supported by the FEP Data Center. In order to use the
        CMS tapes, the Operations Center had to find a vendor to convert them into
        an alternative tape format for usage in the FEP claims system Mainframe
        OBRA '90 Pricer. This process resulted in a delay in implementing the CMS
        updates. All updates received first and second quarters 2009 were updated
        by July 17, 2009, and re-pricing of the impacted OBRA '90 claims will occur
        prior to year-end 2010.
        Attachment A is a schedule of when the updates
        were received from the various sources and the dates that the changes were
        implemented into the FEP Mainframe OBRA '90 Pricer Mainframe software.
        There was a delay in the April 4, 2009 update to the OBRA '90 Pricer.
        This delay could account for the different pricing generated during the claims
        testing process.

We appreciate the opportunity to provide our response to this Draft Audit Report and
request that our comments be included in their entirety as an amendment to the Final
Audit Report.

Sincerely,

[redacted]
Executive Director, Program Integrity

Attachments
cc:

Attachment A

***Text redacted: not relevant to final audit report***

Attachment B

OBRA '90
Updates for OBRA '90 and Implementation Dates

HISTORY OF OBRA90 SOFTWARE RECEIVED FROM OPM/CMS

| Date received from OPM/CMS | Software received | New/Updates | [illegible] updates found on CMS website for | Date installed in production | Problem/Comments | TT# |
|---|---|---|---|---|---|---|
| Nov-04 | Medicare Code Editor Software: Version 21.0 October 1, 2004; CMS Diagnosis Related Groups Software: Version 22.0 October 1, 2004; Provider Specific Files including | New: Yearly Software | | 1/1/2005 | | 21210 |
| 14-Mar-05 | Provider Specific Files including Pricer Software-ver 005.0 (PSF0105), PPS050 | UPDATES: Provider file updates only | Provider data submitted thru Sep 30 2004 & also Provider data submitted thru Dec 31 2004 | 4/8/2005 | | 29375 |
| 14-Apr-05 | Provider Specific Files including Pricer Software-ver 005.1 (PSF0105), PPS051 | UPDATES: Pricer Modules - PPCAL046, PPCAL051, PPDRV041 & PPDRV051; PPSPROV - Provider Data files for 2005; PPSCBSA - Wage | | 6/11/2005 | | 34823 |
| 17-May-05 | Provider Specific Files including Pricer Software-ver 005.1 (PSF0405), PPS051 | UPDATES: PPSPROV - Provider Data files for 2005 | Provider data submitted thru Mar 31 2005 | 6/11/2005 | | 34823 |
| 24-Aug-05 | Provider Specific Files including Pricer Software-ver 005.1 (PSF0705), PPS051 | UPDATES: PPSPROV - Provider Data files for 2005 | Provider data submitted thru Jun 30 2005 | 10/15/2005 | | 51377 |
| 13-Oct-05 | Medicare Code Editor Software: Version 22.0 October 1, 2005; CMS Diagnosis Related Groups Software: Version 23.0 October 1, 2005; Provider Specific Files including | New: Yearly Software | | 1/1/2006 | | 39456 |
| 20-Dec-05 | Provider Specific Files including Pricer Software-ver 006.1 (PSF1005), PPS061 | UPDATES: Pricer Modules - PPCAL061 & PPDRV061; PPSPROV - Provider Data files for | | 2/11/2006 | | 58485 |
| 28-Feb-06 | Provider Specific Files including Pricer Software-ver 006.2 (PSF0106), PPS062 | UPDATES: Pricer Modules - PPCAL062, PPDRV062 & New CICS interface module PPOPN062; PPSPROV - | | 6/17/2006 | | 63698 |
| 13-Jun-06 | Provider Specific Files including Pricer Software-ver 006.2 (PSF0406), PPS062 | UPDATES: PPSPROV - Provider Data files for 2006 | | 07/07/2006 (08/12/2006) | Found 15 New Providers were added & 51 Old Providers were deleted | 67022 |
| 25-Oct-06, 21-Nov-06 | Medicare Code Editor Software: Version 23.0 October 1, 2006; CMS Diagnosis Related Groups Software: Version 24.0 October 1, 2006; Provider Specific Files including Pricer Software-ver 007.2 (PSF0706), PPS072 along with Provider Specific Files including Pricer Software-ver 007.1 (PSF0706), PPS071 and Provider Specific Files | New: Yearly Software for 2007 & updates for 2007, 2006, 2005 & 2004. | | 1/2/2007 | | 58479 |
| 7-Feb-07 | | | | 3/2/2007 | Problems found with some Utah & Arizona Providers that were dropped for the last quarter of 2006 PPS Provider files. Upon receiving an e-mail confirmation from Sarah Shirey @ CMS, the 2006 | 78423 |
| 30-Mar-07 | Provider Specific Files including Pricer Software-ver 007.2 (PSF0107), PPS072 | UPDATES: PPSPROV - Provider Data files for 2007 | | 5/18/2007 | Found 137 New Providers were added & 16 Old Providers were | 81980 |
| 24-Jul-07 | Provider Specific Files including Pricer Software-ver 007.2 (PSF0407), PPS072 | UPDATES: PPSPROV - Provider Data files for 2007 & PPSCBSA - CBSA (Wage Index) file for 2007. | | 8/17/2007 | Found 22 New Providers were added when compared to previous version of PPSPROV file. Also found 23 new CBSA (Wage Index) | 88731 |
| 13-Sep-07, 19-Nov-07 | Medicare Code Editor Software: Version 24.0 October 1, 2007; Medicare Severity DRG Software (MS-DRG): Version 25.0 October 1, 2007; Provider Specific Files including Pricer Software-ver 008.4 (PSF0710), PPS084 along with updated 2007 Pricer | New: Yearly Software for 2008 & updates for 2007. | | 12/14/2007 | Found 87 New Providers were added and 4 Old Providers were dropped when compared to 2007 version of PPSPROV file. Also found 447 new CBSA (Wage Index) records were added when compared to 2007 version of PPSCBSA file. | 81983 |
| 21-Mar-08, 14-Apr-08 | Medicare Code Editor Software: Version 24.1 April 1, 2008; Medicare Severity DRG Software (MS-DRG): Version 25.1 April 1, 2008; Provider Specific Files including Pricer Software-ver 008.5 (PSF0801), PPS085. | Updates: Updated version of Editor, Grouper & Pricer software effective from 4/1/08 along with updated Provider Data files for 2008. | | 5/9/2008 | Per documentation, a new discharge status 70 was added effective 4/1/08: Discharge/transfer to another type of health care institution not defined elsewhere in the code list. Also, existing discharge status code 05 has a definition change effective 4/1/08: Discharged/transferred | 101511 |
| N/A | N/A | Updates | | 8/16/2008 | Defer claims that meet OBRA90 requirements (ie. Attempt all claims to | 94186 (07BRD114) |
| 11-Sep-08, 10-Nov-08 | Medicare Code Editor Software: Version 25.0 October 1, 2008; Medicare Severity DRG Software (MS-DRG): Version 26.0 October 1, 2008; Provider Specific Files including Pricer Software-ver 009.3 (PSF0807), PPS093. | New: Yearly Software for 2009. | | 1/2/2009 | Found 38 New Providers were added and 1,336 Old Providers that were terminated in prior FYs, were dropped when compared to 2008 version of PPSPROV file. Also found 445 new CBSA (Wage Index) | 98673 (OBRA90 Real Time Processing); 98087 (OBRA90 YearEnd software install) |
| N/A | N/A | Updates | | 4/4/2009 | Modify OBRA90 Patient Discharge status (Set Pricer Review code | 100775 (08BRD028) |
| 03/06/2009, 03/23/2009, 06/08/2009 | Provider Specific Files including Pricer Software-ver 009.6 (PSF0904), PPS096 | UPDATES: Pricer Modules - PPCAL096, PPDRV096, PPOPN096 & PPCAL086; PPSPROV - Provider Data files for 2009. | | 7/18/2009 | Needed to convert 3490 tapes from CMS to 3590 tapes as CareFirst does not support 3490 tapes anymore effective 02/20/2009. Found 3,214 New Providers were added when compared to | 176024 |